<div class="help">
 <h1>$PROGRAM Help</h1>
 <h2>Contents</h2>
 <ul>
  <li><a href="#gen_info">General Information</a>
   <ul>
    <li><a href="#what_is">What is $PROGRAM?</a>
    <li><a href="#how_work">How does $PROGRAM work?</a>
    <li><a href="#how_use">How do I use $PROGRAM?</a>
   </ul>
  <li><a href="#tech_info">Technical Information</a>
   <ul>
    <li><a href="#how_really">How does $PROGRAM really work?</a>
    <li><a href="#anon">Does $PROGRAM allow me to browse anonymously?</a>
   </ul>
  <li><a href="#options">$PROGRAM Tab</a>
   <ul>
    <li><a href="#what_manage">Manage Tunnels</a>
    <li><a href="#what_enabled">$PROGRAM enabled</a>
    <li><a href="#what_hide">Hiding mode</a>
    <li><a href="#what_autolaunch">Auto-launch webui</a>
    <li><a href="#what_updates">Check for updates</a>
    <li><a href="#what_dns">DNS Hiding</a>
    <li><a href="#what_nat">Use NAT Traversal</a>
    <li><a href="#what_nat_meth">NAT traversal method</a>
    <li><a href="#what_hops">Ghost packet hops</a>
    <li><a href="#what_split">Packet splitting method</a>
    <li><a href="#what_multi">Multi-route Enabled</a>
   </ul>
  <li><a href="#log">Log Tab</a>
   <ul>
    <li><a href="#what_log">Log messages</a>
    <li><a href="#what_disp">Display Messages</a>
   </ul>
  <li><a href="#tunnels">Tunnels</a>
   <ul>
    <li><a href="#what_url">What is a tunnel URL?</a>
    <li><a href="#what_crypt">What is the crypt encoding?</a>
    <li><a href="#what_pad">What is the pad encoding?</a>
   </ul>
 </ul>
 <hr>
 <a name="gen_info"><h2>General Information</h2></a>
 <div class="question">
  <a name="what_is">What is $PROGRAM?</a>
 </div>
 <div class="answer">
  <p>
   $PROGRAM is a tool for bypassing ISP-level censorship systems.
   $PROGRAM is also an anti ISP-level traffic sniffing/logging tool.
  </p>
  <p>
   $PROGRAM:
   <ul>
    <li> <b>is free</b>.  $PROGRAM is 100% open source and free.
    <li> <b>is fast</b>.  $PROGRAM is based on one-way packet routing
        rather than proxy servers.
    <li> <b>keeps your IP address</b>.  $PROGRAM does not use proxy servers
        and thus will never change your IP address.
   </ul>
  </p>
 </div>

 <div class="question">
  <a name="how_work">How does $PROGRAM work?</a>
 </div>
 <div class="answer">
  <p>
   $PROGRAM works by rerouting web browser requests via encrypted
   <a href="http://en.wikipedia.org/wiki/Tunneling_protocol">tunnels</a>.
   This hides web browser requests from any ISP-level censorship system.
  </p>
  <p>
   Unlike proxy servers, VPN, Tor, etc., $PROGRAM simply reroutes web browser
   requests without changing your IP address.
   Web pages are sent directly to your computer from the web server, and
   not through an encrypted tunnel.
   This means lower latencies and higher bandwidth compared to other
   technologies.
  </p>
 </div>

 <div class="question">
  <a name="how_use">How do I use $PROGRAM?</a>
 </div>
 <div class="answer">
  <p>
   Simply:
   <ol>
    <li> Run the $PROGRAM executable.
    <li> Check that the "<i>TUNNELS</i>" control shows that
         at least one tunnel is open (green).
    <li> Use the configuration contols to tune
         $PROGRAM to suit your needs.
   </ol>
  </p>
 </div>

 <hr>
 <a name="tech_info"><h2>Technical Information</h2></a>
 <div class="question">
  <a name="how_really">How does $PROGRAM <i>really</i> work?</a>
 </div>
 <div class="answer">
  <p>
   To download and display a page, a web browser will open a TCP port 80
   (for HTTP) or TCP port 443 (for HTTPS) connection to a web server.
   It then sends a <tt>HTTP GET</tt> request to the web server, and the
   web server responds by sending a <tt>HTTP OK</tt> reply.
   The <tt>HTTP GET</tt> request contains the URL and the <tt>HTTP OK</tt>
   reply contains the web page.
  </p>
  <p>
   The requests are sent as <i>outbound</i> packets (from your computer to the
   server), whereas the
   replies are sent as <i>inbound</i> packets (from the server to your
   computer).
   Most ISP-level censorship systems work by intercepting
   outbound packets which contain the URL data.
   For HTTP the requested URL will be sent in clear text making such
   traffic completely vulnerable to such censorship systems.
   HTTPS offers more protection since the URL will be encrypted.
   However, HTTPS will send the domain name in clear text
   --- as part of the TLS <q>client hello</q> message ---
   meaning that even HTTPS is vulnerable to ISP-level censorship.
  </p>
  <p>
   $PROGRAM works by tunnelling outbound packets
   to a special server that forwards the packet to the web server.
   $PROGRAM does not tunnel any inbound packet --- these are sent directly
   from the web server to your computer via the normal route.
   This works because typical ISP-level censorship systems do not intercept
   inbound traffic.
  </p>
 </div>

 <div class="question">
  <a name="anon">Does $PROGRAM allow me to browse anonymously?</a>
 </div>
 <div class="answer">
  <p>
   No.
   $PROGRAM does not hide your IP address from web servers nor anybody
   inspecting inbound traffic.
  </p>
  <p>
   If you desire anonymous browsing, then $PROGRAM is not for you.
   For this we recommend using a proxy server, VPN, or
   <a href="http://www.torproject.org/">Tor</a>.
  </p>
 </div>

 <hr>
 <a name="options"><h2>$PROGRAM Tab</h2></a>
 <div class="question">
  <a name="what_manage">Manage Tunnels</a>
 </div>
 <div class="answer">
  <p>
   The <i>Manage Tunnels</i> control allows the user to open/close/delete
   tunnel URLs.
   Open tunnels are displayed in green, and closed tunnels in red.
  </p>
 </div>

 <div class="question">
  <a name="what_enabled">$PROGRAM enabled</a>
 </div>
 <div class="answer">
  <p>
   The <i>$PROGRAM enabled</i> control determines whether $PROGRAM is enabled
   or not.
   When disabled, $PROGRAM offers no protection against ISP-level censorship
   systems.
  </p>
 </div>

 <div class="question">
  <a name="what_hide">Hiding Mode</a>
 </div>
 <div class="answer">
  <p>
   The <i>Hiding Mode</i> control determines how outbound packets are tunneled
   or split.
   The options are:
   <ol>
    <li> <b>Off</b>: Do not tunnel/split any traffic.
    <li> <b>Passive (Split Only)</b>: Split outbound packets such that no
          single fragment contains a complete URL.
          This mode is effective against some ISP-level censorship technologies.
    <li> <b>Active-Low (Tunnel Partial URL)</b>: Similar to the above but
          tunnels one of the fragments containing URL data.
    <li> <b>Active-Medium (Tunnel Full URL)</b>: Similar to the above but
          tunnels a fragment containing the full URL.
    <li> <b>Active-High (Tunnel Data)</b>: Tunnels packets that contain data.
         TCP control packets such as SYNs, ACKs, etc., are not tunneled.
    <li> <b>Active-Highest (Tunnel Everything)</b>: Tunnel all outbound
         packets.
   </ol>
  </p>
  <p>
   <b><i>NOTE:</i></b> Whether or not an option is effective depends on the
   ISP-level censorship technology you wish to bypass.
   In a nutshell, the "<i>Active-Highest (Tunnel Everything)</i>" is the most
   conservative mode and is most likely to be effective.
   However, this mode is also the slowest because it tunnels the most packets.
   The "<i>Passive (Split Only)</i>" mode is the fastest but is
   only effective against specific inspection/logging systems that 
   (incorrectly) assume URL data will be contained within single packets.
   It is recommended you choose the least conservative mode that works.
  </p>
 </div>

 <div class="question">
  <a name="what_autolaunch">Auto-Launch WebUI</a>
 </div>
 <div class="answer">
  <p>
   The <i>Auto-Launch WebUI</i> control determines whether the $PROGRAM web UI
   is automatically launched on startup or not.
  </p>
 </div>

 <div class="question">
  <a name="what_updates">Check for Updates</a>
 </div>
 <div class="answer">
  <p>
   The <i>Check for Updates</i> control determines whether $PROGRAM will 
   automatically check for new versions or not.
   If a new version is available, then a message will be displayed on the
   Web UI.
  </p>
 </div>

 <div class="question">
  <a name="what_dns">DNS Hiding</a>
 </div>
 <div class="answer">
  <p>
   The <i>DNS Hiding</i> control determines whether DNS requests are tunneled
   or not (in addition to tunneling HTTP(S) requests).
   This may be useful against ISP-level censorship systems that use
   <a href="http://en.wikipedia.org/wiki/DNS_cache_poisoning">DNS Cache
   Poisoning</a>.
   To use this option, you must first configure your operating system to use an
   <i>external</i> DNS server such as
   <a href="http://code.google.com/speed/public-dns/">Google public DNS</a>
   or
   <a href="http://www.opendns.com/">OpenDNS</a>.
   Do <b>NOT</b> use the DNS provided by your ISP.
  </p>
 </div>

 <div class="question">
  <a name="what_nat">Use NAT Traversal</a>
 </div>
 <div class="answer">
  <p>
   Most home router/modems use
   <a href="http://en.wikipedia.org/wiki/Network_address_translation">
   Network Address Translation</a> (NAT) to allow multiple computers to share
   a single broadband connection.
   Because $PROGRAM tunnels TCP packets, a
   <a href="http://en.wikipedia.org/wiki/NAT_traversal">NAT traversal</a>
   method is required.
   The options are:
   <ul>
    <li> <b>Never</b>: Never use NAT traversal.
    <li> <b>Automatic</b>: Use NAT traversal only if a NAT is detected.
         NAT detection works by checking whether your computer's IP address is 
         private or public.
         A private address indicates that your computer is behind a NAT.
    <li> <b>Always</b>: Always use NAT traversal.
   </ul>
  </p>
 </div>

 <div class="question">
  <a name="what_nat_meth">NAT Traversal Method</a>
 </div>
 <div class="answer">
  <p>
   The <i>NAT Traversal Method</i> control determines how $PROGRAM should
   traverse the NAT (if present).
   $PROGRAM supports two main methods:
   <ul>
    <li> <b>Low time-to-live method</b>: This method substitutes a "ghost"
         packet for every packet that is sent via the tunnel.
         The ghost packet is given a low time-to-live (TTL) value to ensure
         it reaches the NAT but never reaches the destination web server.
    <li> <b>Bad checksum method</b>: This method substitutes a "ghost" packet
         with a bad TCP (or UDP) checksum.
         The ghost packet will reach the destination web server, however it 
         will be dropped because of the invalid checksum.
    <li> <b>Combination method</b>: This combines both the low TTL and bad
         checksum methods.
   </ul>
  </p>
  <p>
   <b><i>NOTE:</i></b> Ghost packets carry randomized payloads.
   The tunneled payload is never revealed by a ghost packet.
  </p>
  <p>
   <b><i>NOTE:</i></b> Only select the "<i>Bad checksum method</i>" if the
   "<i>Low time-to-live method</i>" does not work.
   The bad checksum method may waste web server bandwidth.
  </p>
  <p>
   <b><i>NOTE:</i></b> Some NAT implementations are incompatible with both
   traversal methods.
   In this case the only solution is to remove the NAT altogether, or
   to purchase a new router/modem with a compatible NAT.
  </p>
 </div>

 <div class="question">
  <a name="what_hops">Ghost Packet Hops</a>
 </div>
 <div class="answer">
  <p>
   If $PROGRAM is using the "<i>Low time-to-live method</i>" or
   "<i>Combination method</i>" for NAT traversal, the <i>Ghost Packet Hops</i>
   control determines how many hops the ghost packets live for.
   In other words, this option sets the IPv4 time-to-live (TTL) value for
   ghost packets.
   This should be the number of hops to your NAT plus 1.
   For a typical home network configuration this value should be 2 or 3.
  </p>
 </div>

 <div class="question">
  <a name="what_split">Packet Splitting Method</a>
 </div>
 <div class="answer">
  <p>
   The <i>Packet Splitting Method</i> control determines how packet splitting
   is implemented.
   The options are:
   <ul>
    <li> <b>Network layer</b>: Split packets at the network layer using
         IPv4 fragmentation.
    <li> <b>Transport layer</b>: Split packets at the transport (TCP) layer.
   </ul>
  </p>
  <p>
   <b><i>NOTE:</i></b> Splitting packets on the network layer is problematic.
   Some router/modems attempt to reassemble fragmented packets which 
   prevents the <i>network layer</i> method from working.
   It this recommended to use <i>transport layer</i> packet splitting.
  </p>
 </div>

 <div class="question">
  <a name="what_multi">Multi-route Enabled</a>
 </div>
 <div class="answer">
  <p>
   The <i>Multi-route Enabled</i> control determines whether packets from
   a single TCP flow can be split up over multiple tunnels (routes).
   In theory, TCP/IP should support this, however in practice it appears
   not to work for some web servers, so is disabled by default.
  </p>
 </div>

 <hr>
 <a name="log"><h2>Log Tab</h2></a>
 <div class="question">
  <a name="what_log">Log messages</a>
 </div>
 <div class="answer">
  <p>
   The log messages display what is going on.
   The types of log messages are:
   <ul>
    <li> <b>warnings</b> indicate some kind of problem.
    <li> <b>errors</b> indicate a serious problem that will cause $PROGRAM to
         exit.
    <li> <b>packets</b> indicate a tunneled packet.
    <li> <b>trace</b> very verbose messages (debugging.)
    <li> <b>log</b> Any other kind message.
   </ul>
  </p>
 </div>

 <div class="question">
  <a name="what_disp">Display Messages</a>
 </div>
 <div class="answer">
  <p>
   The <i>Display Messages</i> control determines the log message verbosity.
   The options are:
   <ul>
    <li> <b>All Messages</b>: Prints every kind of message.
    <li> <b>Packets &amp; Warnings</b>: Prints every kind of message
         except trace messages.
    <li> <b>Warnings</b>: Prints warning and error messages only.
    <li> <b>No Messages</b>: Does not print any message.
   </ul>
  </p>
 </div>


 <hr>
 <a name="tunnels"><h2>Tunnels</h2></a>
 <div class="question">
  <a name="what_url">What is a tunnel URL?</a>
 </div>
 <div class="answer">
  <p>
   Each tunnel is represented by a URL.
   The URL tells $PROGRAM how to connect to and use the tunnel.
   The URL syntax is:
   <pre>
    URL := TRANSPORT://HOST:PORT?ENCODINGS
   </pre>
   where:
   <ul>
    <li> <tt>TRANSPORT</tt>: is the transport protocol used by the tunnel.
         Currently the supported transport protocols are:
         <ul>
          <li> <tt>udp</tt>: uses UDP transport
          <li> <tt>ip</tt>: uses RAW IP packets as transport
          <li> <tt>ping</tt>: uses ICMP echo request/reply as transport
         </ul>
    <li> <tt>HOST</tt>: is either the host name or IP address of the server.
    <li> <tt>PORT</tt>: is the port number associated with the
         <tt>TRANSPORT</tt> protocol.
         For <tt>ip</tt> tunnels the port number is the IP protocol number.
    <li> <tt>ENCODINGS</tt>: specifies how the tunneled packets are encoded.
         The format for the <tt>ENCODINGS</tt> is
         <pre>
          ENCODINGS := ENCODING=OPTIONS+...+ENCODING=OPTIONS
          OPTIONS := OPTION.VALUE,...,OPTION.VALUE
         </pre>
         Currently the supported encodings are 
         <a href="#what_crypt"><tt>crypt</tt></a> and
         <a href="#what_pad"><tt>pad</tt></a>.
         Multiple encodings can be chained together using the <tt>+</tt>
         token.
         For such tunnels encodings are applied sequentially from the
         left-to-right.
   </ul>
   Examples:
   <pre>
    udp://reqrypt.org:58000?crypt=cipher.xxtea,cert.rQHEq2ky32DOaCopEMFVR0,sec.2888
    ip://tunnel2.reqrypt.org:99?pad=min.0,max.16
    udp://tunnel3.reqrypt.org:57000
    ip://tunnel.reqrypt.org:99?pad=min.0,max.32+crypt=cipher.xxtea,cert.rQHEq2ky32DOaCopEMFVR0
   </pre>
   The last example tunnel first applies the <tt>pad</tt> encoding followed by
   <tt>crypt</tt>.
  </p>
  <p>
   <b><i>NOTE:</i></b> Only tunnels that use the <tt>crypt</tt> encoding are
   encrypted.
   See <a href="#what_crypt">below</a> for more information.
  </p>   
 </div>

 <div class="question">
  <a name="what_crypt">What is the <tt>crypt</tt> encoding?</a>
 </div>
 <div class="answer">
  <p>
   The <tt>crypt</tt> encoding encrypts all tunneled packets.
   The options for the <tt>crypt</tt> encoding are:
   <ul>
    <li> <tt>cert</tt>: The tunnel's certificate hash value.
         This is used to authenticate the server $PROGRAM connects to.
    <li> <tt>cipher</tt>: The cipher used for encryption.
         Currently supported ciphers are <tt>aes</tt> and
         <tt>xxtea</tt> (128-bit blocks).
    <li> <tt>handshakepad</tt>: Adds randomized padding to <tt>crypt</tt>
         handshake packets to make traffic analysis more difficult.
    <li> <tt>sec</tt>: The 4 digit security setting.
         The digits are:
         <ul>
          <li> Handshake asymmetric key size: <tt>2</tt> = 1024 bits.
          <li> Key ID size: <tt>5</tt>-<tt>8</tt> bytes.
          <li> Initialization Vector (IV) size: <tt>4</tt>-<tt>8</tt> bytes.
          <li> Message Authentication Code (MAC) size:
               <tt>2</tt>-<tt>8</tt> bytes.
         </ul>
         The minimum security setting is <tt>2542</tt>, the maximum is
         <tt>2888</tt>, and the default is <tt>2653</tt>.
   </ul>
  </p>
  <p>
   <b><i>NOTE:</i></b> The <tt>handshakepad</tt> option only applies to
   <tt>crypt</tt> handshake packets.
   To add padding to non-handshake packets use the <tt>pad</tt> encoding
   in addition to <tt>crypt</tt>.
  </p>
 </div>

 <div class="question">
  <a name="what_pad">What is the <tt>pad</tt> encoding?</a>
 </div>
 <div class="answer">
  <p>
   The <tt>pad</tt> encoding adds randomized padding to the front of every
   tunnelled packet.
   The options are:
   <ul>
    <li> <tt>min</tt>: The minimum pad size between <tt>0</tt>-<tt>255</tt>
         bytes.
         The default is <tt>0</tt>.
    <li> <tt>max</tt>: The maximum pad size between <tt>0</tt>-<tt>255</tt>
         bytes.
         The default is <tt>16</tt>.
    <li> <tt>size</tt>: Fixed size padding between <tt>0</tt>-<tt>255</tt>
         bytes.
   </ul>
  </p>
  <p>
   <b><i>NOTE:</i></b> The <tt>pad</tt> encoding has two distinct modes.
   When <tt>min</tt> and/or <tt>max</tt> is specified, the length of the
   padding for each packet is randomly chosen from this range.
   When <tt>size</tt> is specified, the length of the padding is always fixed
   to the specified size.
   The <tt>size</tt> option is incompatible with <tt>min</tt>/<tt>max</tt>.
  </p>
 </div>
</div>
